9e90018579650e491ec2a3e6618564d103fdfdc68c367a9211e837dd4917c5f9

Analysis

max time kernel
145s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe
Size

408KB
MD5

082635ce6fc914a3ba378795f2e3fd72
SHA1

34659101d965d271eafb9f8594a25b249690665f
SHA256

9e90018579650e491ec2a3e6618564d103fdfdc68c367a9211e837dd4917c5f9
SHA512

05070223821df10c3054a3b6bf3d3d0fa32e1a85fb8ef05ac6edb9425d74735b4b29a4472684ad5ec7ace96c0fea416202a631fd223d4fdab14fe7c3c73d9bb7
SSDEEP

6144:BLDuvl52KDchS3JZgIYo/b6TrOPFAVCYRq3ncBxR:BLOl5J53jYoTwrOPFAVJq3cd

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12744	dwm.exe
Token: SeChangeNotifyPrivilege	12744	dwm.exe
Token: 33	12744	dwm.exe
Token: SeIncBasePriorityPrivilege	12744	dwm.exe
Token: SeShutdownPrivilege	12744	dwm.exe
Token: SeCreatePagefilePrivilege	12744	dwm.exe
Token: SeShutdownPrivilege	12744	dwm.exe
Token: SeCreatePagefilePrivilege	12744	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 3392	876	082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe	80
PID 876 wrote to memory of 3392	876	082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe	80
PID 876 wrote to memory of 3392	876	082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe	80
PID 3392 wrote to memory of 2800	3392	cmd.exe	82
PID 3392 wrote to memory of 2800	3392	cmd.exe	82
PID 3392 wrote to memory of 2800	3392	cmd.exe	82
PID 3392 wrote to memory of 5052	3392	cmd.exe	83
PID 3392 wrote to memory of 5052	3392	cmd.exe	83
PID 3392 wrote to memory of 5052	3392	cmd.exe	83
PID 3392 wrote to memory of 720	3392	cmd.exe	85
PID 3392 wrote to memory of 720	3392	cmd.exe	85
PID 3392 wrote to memory of 720	3392	cmd.exe	85
PID 3392 wrote to memory of 2712	3392	cmd.exe	86
PID 3392 wrote to memory of 2712	3392	cmd.exe	86
PID 3392 wrote to memory of 2712	3392	cmd.exe	86
PID 3392 wrote to memory of 972	3392	cmd.exe	87
PID 3392 wrote to memory of 972	3392	cmd.exe	87
PID 3392 wrote to memory of 972	3392	cmd.exe	87
PID 3392 wrote to memory of 3100	3392	cmd.exe	89
PID 3392 wrote to memory of 3100	3392	cmd.exe	89
PID 3392 wrote to memory of 3100	3392	cmd.exe	89
PID 3392 wrote to memory of 2640	3392	cmd.exe	91
PID 3392 wrote to memory of 2640	3392	cmd.exe	91
PID 3392 wrote to memory of 2640	3392	cmd.exe	91
PID 3392 wrote to memory of 3372	3392	cmd.exe	92
PID 3392 wrote to memory of 3372	3392	cmd.exe	92
PID 3392 wrote to memory of 3372	3392	cmd.exe	92
PID 3392 wrote to memory of 3384	3392	cmd.exe	93
PID 3392 wrote to memory of 3384	3392	cmd.exe	93
PID 3392 wrote to memory of 3384	3392	cmd.exe	93
PID 3392 wrote to memory of 2324	3392	cmd.exe	94
PID 3392 wrote to memory of 2324	3392	cmd.exe	94
PID 3392 wrote to memory of 2324	3392	cmd.exe	94
PID 3392 wrote to memory of 2924	3392	cmd.exe	95
PID 3392 wrote to memory of 2924	3392	cmd.exe	95
PID 3392 wrote to memory of 2924	3392	cmd.exe	95
PID 3392 wrote to memory of 1120	3392	cmd.exe	96
PID 3392 wrote to memory of 1120	3392	cmd.exe	96
PID 3392 wrote to memory of 1120	3392	cmd.exe	96
PID 3392 wrote to memory of 3464	3392	cmd.exe	98
PID 3392 wrote to memory of 3464	3392	cmd.exe	98
PID 3392 wrote to memory of 3464	3392	cmd.exe	98
PID 3392 wrote to memory of 404	3392	cmd.exe	100
PID 3392 wrote to memory of 404	3392	cmd.exe	100
PID 3392 wrote to memory of 404	3392	cmd.exe	100
PID 3392 wrote to memory of 4496	3392	cmd.exe	101
PID 3392 wrote to memory of 4496	3392	cmd.exe	101
PID 3392 wrote to memory of 4496	3392	cmd.exe	101
PID 3392 wrote to memory of 4640	3392	cmd.exe	102
PID 3392 wrote to memory of 4640	3392	cmd.exe	102
PID 3392 wrote to memory of 4640	3392	cmd.exe	102
PID 3392 wrote to memory of 2108	3392	cmd.exe	105
PID 3392 wrote to memory of 2108	3392	cmd.exe	105
PID 3392 wrote to memory of 2108	3392	cmd.exe	105
PID 3392 wrote to memory of 2464	3392	cmd.exe	106
PID 3392 wrote to memory of 2464	3392	cmd.exe	106
PID 3392 wrote to memory of 2464	3392	cmd.exe	106
PID 3392 wrote to memory of 4004	3392	cmd.exe	107
PID 3392 wrote to memory of 4004	3392	cmd.exe	107
PID 3392 wrote to memory of 4004	3392	cmd.exe	107
PID 3392 wrote to memory of 2480	3392	cmd.exe	108
PID 3392 wrote to memory of 2480	3392	cmd.exe	108
PID 3392 wrote to memory of 2480	3392	cmd.exe	108
PID 3392 wrote to memory of 1788	3392	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt36414.bat "C:\Users\Admin\AppData\Local\Temp\082635ce6fc914a3ba378795f2e3fd72_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6480
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6564
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6624
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6920
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7020
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6780
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7064
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7176
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7184
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7240
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7732
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7780
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7952
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8212
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8220
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8236
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8244
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8252
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8260
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8276
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8300
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8324
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8380
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8420
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8428
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8436
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8444
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8460
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8484
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8492
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8508
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8564
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8572
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8644
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8788
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8828
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8860
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8876
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8892
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10108
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10168
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9156
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10572
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10636
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10644
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11128
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11144
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11152
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11168
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11176
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11184
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11200
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11216
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11240
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11248
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10672
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11276
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11300
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11324
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11364
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11420
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11428
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11436
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11444
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11460
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11476
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11484
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11492
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11500
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11508
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11572
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11620
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11824
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11888
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11912
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11920
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11944
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11960
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12040
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11132
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:13308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 384 -s 5108
1⤵
PID:11556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 11872 -ip 11872
1⤵
PID:4724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 936 -p 11636 -ip 11636
1⤵
PID:11668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 1008 -p 11832 -ip 11832
1⤵
PID:11476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 816 -p 11756 -ip 11756
1⤵
PID:11824

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt36414.bat

Filesize
4KB

MD5
b20f9ca0092f42d76612063a67b45849

SHA1
57268612b18688af62108dc42d8424bddc5e55f3

SHA256
a735f2002b060eb5187bc370b19f6e05ca3824c894c6b38c0b26f106dba5b919

SHA512
bcf9fa7ac541c095eb7c2bdc6f0c405043da21b1c4ded818902597d94397d0af15d74b00dc46bdbef6664233e47dfada3b0c918f95d2fe73463989f2304dab25

Download Submit
memory/876-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/876-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/11840-4-0x0000000000BB0000-0x0000000000C0A000-memory.dmp

Filesize
360KB

Download
memory/11960-6-0x0000000000BB0000-0x0000000000C0A000-memory.dmp

Filesize
360KB

Download
memory/12080-5-0x0000000000BB0000-0x0000000000C0A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads